AWS-IAM-Root-MFA-Enabled
Severity: Critical
Description: This control ensures that a multi-factor authentication (MFA) device is enabled for the root account. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password as well as for an authentication code from their AWS MFA device.
Remediation Steps:
To configure and enable a virtual MFA device for use with your root user:
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
Do one of the following:
Option 1: Choose Dashboard, and under Security Status, expand Activate MFA on your root user.
Option 2: On the right side of the navigation bar, choose your account name, and choose Security Credentials. If necessary, choose Continue to Security Credentials. Then expand the Multi-Factor Authentication (MFA) section on the page.
Choose Manage MFA or Activate MFA, depending on which option you chose in the preceding step.
In the wizard, choose A virtual MFA device and then choose Next Step.
Confirm that a virtual MFA app is installed on the device, and then choose Next Step. IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the secret configuration key that is available for manual entry on devices that do not support QR codes.
With the Manage MFA Device wizard still open, open the virtual MFA app on the device.
If the virtual MFA software supports multiple accounts (multiple virtual MFA devices), then choose the option to create a new account (a new virtual device).
The easiest way to configure the app is to use the app to scan the QR code. If you cannot scan the code, you can type the configuration information manually.
To use the QR code to configure the virtual MFA device, follow the app instructions for scanning the code. For example, you might need to tap the camera icon or tap a command like Scan account barcode, and then use the device's camera to scan the QR code.
If you cannot scan the code, type the configuration information manually by typing the Secret Configuration Key value into the app. For example, to do this in the AWS Virtual MFA app, choose Manually add account, and then type the secret configuration key and choose Create.
Important
Make a secure backup of the QR code or secret configuration key, or make sure that you enable multiple virtual MFA devices for your account. A virtual MFA device might become unavailable (for example, if you lose the smartphone that hosts the virtual MFA device). If that happens, you will not be able to sign in to your account and you will have to contact customer service to remove MFA protection from the account.
Note
The QR code and secret configuration key generated by IAM are tied to your AWS account and cannot be used with a different account. They can, however, be reused to configure a new MFA device for your account in case you lose access to the original MFA device.
The device starts generating six-digit numbers.
In the Manage MFA Device wizard, in the Authentication Code 1 box, type the six-digit number that's currently displayed by the MFA device. Wait up to 30 seconds for the device to generate a new number, and then type the new six-digit number into the Authentication Code 2 box.
Important
Submit your request immediately after generating the codes. If you generate the codes and then wait too long to submit the request, the MFA device successfully associates with the user but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can resync the device.
Choose Next Step, and then choose Finish.
The device is ready for use with AWS.
Important:
Changes in account credentials may take up to 4 hours to be reflected in the AWS IAM evaluations. The delay depends on when the last credential report was fetched by the Cloud View service and when the changes were made in AWS IAM.
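A way to verify this control from the IAM credential report, which is what the evaluation above is based on, as an added example that is not part of the control text or of any vendor tooling. It assumes the base64 `Content` and `GeneratedTime` fields returned by `aws iam get-credential-report`, where the root user is listed as `<root_account>`, and it flags a report older than the 4-hour window mentioned above because such a report may not yet reflect a recent MFA change; the sample report is constructed.

```python
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

ROOT_USER = "<root_account>"          # how IAM names the root user in the report
MAX_REPORT_AGE = timedelta(hours=4)   # evaluation may lag this long, per the control text


def encode_report(csv_text: str) -> str:
    """Base64-encode a CSV report the way get-credential-report returns it."""
    return base64.b64encode(csv_text.encode("utf-8")).decode("ascii")


def evaluate_root_mfa(report_b64: str, generated_time: datetime, now: datetime) -> dict:
    """Evaluate AWS-IAM-Root-MFA-Enabled against a base64-encoded credential report.

    report_b64 is the report's 'Content'; generated_time is its 'GeneratedTime'.
    """
    text = base64.b64decode(report_b64).decode("utf-8")
    rows = list(csv.DictReader(io.StringIO(text)))
    root = next((r for r in rows if r["user"] == ROOT_USER), None)
    if root is None:
        return {"status": "ERROR", "reason": "root account row missing from report"}
    mfa_active = root["mfa_active"].strip().lower() == "true"
    age = now - generated_time
    return {
        "status": "PASS" if mfa_active else "FAIL",
        "mfa_active": mfa_active,
        "report_stale": age > MAX_REPORT_AGE,   # stale: a recent MFA change may be missing
        "report_age_hours": round(age.total_seconds() / 3600, 2),
    }


# Constructed sample (not real account data): root has no MFA, IAM user alice does.
# Only the leading columns of the real report are included.
SAMPLE_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-03-04T00:00:00+00:00,true,"
    "2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true\n"
)
SAMPLE_B64 = encode_report(SAMPLE_CSV)
SAMPLE_GENERATED = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_NOW = SAMPLE_GENERATED + timedelta(hours=5)   # report is 5 h old: stale

if __name__ == "__main__":
    print(evaluate_root_mfa(SAMPLE_B64, SAMPLE_GENERATED, SAMPLE_NOW))
```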
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.5
Blue Hexagon Proprietary